Kent and Medway Care Record – Privacy Notice
This guidance is intended to provide a template as a privacy notice for inclusion in local authority, Clinical Commissioning Groups and care providers’ (Acute and Mental Health Trusts, Community and Primary Care) websites and mobile apps, as appropriate. This must be put in place prior to any live data being accessed via the Kent and Medway Care Record (KM Care Record).
Providers of information (data controllers) need to consider additional notices that may be required, paying particular regard to standards for accessibility – refer: https://accessibility.campaign.gov.uk/
The obligations and relationship of data Controllers and Processors are set out in the KM Care Record Data Processing Agreement (DPA) and Joint Controllers Agreement (JCA).
The Controller, Joint Controller and Processor obligations are further defined in the EU General Data Protection Regulation 2016/679 (GDPR) Articles 24, 26, and 28 respectively. This is now the UK GDPR, as brought into UK law by the Data Protection Act 2018.
The rights of the data subject are set out in GDPR Chapter 3, Articles 12 through 23, and are reflected within this privacy notice.
Controllers must ensure they are aware of their duties and what they need to do, to give assurance that they have put appropriate measures in place prior to giving access to live patient data on the KM Care Record Service. Additional considerations must include the need for hard copy privacy notices (leaflets, posters etc.) at point of care.
Future considerations could also include, but are not limited to:
- Child Services, e.g. the need to publish child friendly versions of privacy notice (for ages <13)
- Learning disability support services, e.g. ‘Widgit’ software that turns words into pictures https://www.widgit.com
The privacy notice will need further review in detail when the KM Care Record Service is extended to secondary uses, as it becomes arguably more important to ensure people are aware of their rights and how to exercise them.
Data Protection Privacy Notice for the Kent & Medway Care Record (KM Care Record) Service
About the KM Care Record
Welcome. The KMCR is a secure virtual health and social care record used only by health and care organisations across the Kent and Medway areas including:
- GP practices currently registered with Kent and Medway Clinical Commissioning Groups (CCG)
- 4 NHS Trusts and 2 Mental Health Trusts
- South East Coast Ambulance Service
- Kent County Council and Medway Council Social Care Teams
A full list of current and proposed providers can be found in the section: “Organisations we share your personal information with” below.
What is the Kent & Medway Care Record (KM Care Record)?
The Kent & Medway Care Record is an Electronic Health Record linking system that provides a read-only summary of that data (information) to a health or social care professional when required for the purpose of providing your health and social care. The system, provided by Graphnet, brings together patient/client’s information across health and social care systems in a secure manner, giving a summary of your information from within a number of local records.
Benefits of such a system are:
- Improved quality of care – information about your care will be instantly available to professionals to enable accurate diagnosis and on-going treatment. Duplication of tests will be avoided.
- Improved patient safety – there will be greater visibility for health and social care providers about your current medications, allergies and adverse reactions.
- Reduced delays in care – test results will be readily available reducing waiting times.
The KM Care Record pulls your information from several important areas of health and care including:
- Primary care e.g. GP practices
- Secondary care e.g. hospitals
- Specialist services e.g. South East Ambulance services
Additional data may also be collected online within KM Care Record Forms for both direct patient care and social care. These are typically used for patient assessments and planning of services, e.g.
- Integrated care and support plan
All organisations take the duty to protect your personal information and confidentiality very seriously and are committed to taking all reasonable measures to ensure the confidentiality and security of personal information for which they are responsible. The KM Care Record system has been built in such a way as to ensure its use can be audited at any time. This allows confidentiality to be monitored where necessary.
The purpose(s) of the sharing:
The KM Care Record allows authorised workers in health or social care easy access to your information that is critical to support decision-making about your care and treatment.
It shares important information about your health and care including:
- Any current health or care issues
- Results of any recent tests that you may have had
- Details on any plans created for your care or treatment
- Information on any social care or carer support you may receive
Information recorded about you across the NHS and care organisations
When you contact an NHS or care organisation as a patient / service user, organisations collect information about you and keep records about the care and services provided. If you contact organisations for any other reason they may also record information about you e.g. complaints or dealing with Freedom of Information requests.
All partner organisations listed are registered with the Information Commissioner’s Office to process your personal information in accordance with the current Data Protection Act 2018 and any subsequent revisions. The data protection notifications for all participating organisations can be found on the Information Commissioner’s website at www.ico.gov.uk. This guidance explains the types of information that is recorded about you, why this is necessary and the ways in which this information may be used. It also covers:
The categories of personal information we share:
Personal identifiable information (or personal data) means any information about an individual from which, on its own or together with other information, that person may be identified. It does not include information where the identity has been removed (anonymous data). The personal data that is collected and shared includes:
- Identifying Data: basic details about yourself e.g. Forename, Surname, Address, Date of Birth, Gender, Age, Postal Address, Postcode, Telephone Number, Email address, NHS Number and Hospital ID
- Special categories of Personal Data: Racial or ethnic origin, Physical/mental health or condition. For example, contact we have had with you such as appointments or clinic visits; notes and reports about your health, treatment and care; results of x-rays, scans and laboratory tests; relevant information from people who care for you and know you well such as health staff and relatives/carers; alerts and/or notifications for example high risk medicines.
- Identifying Data: basic details about other individuals that may be involved in providing your care or support services, e.g. emergency contacts, relatives, mobility service providers, home care support.
However, not every element of personal data is part of the joint record. Your information is not disclosed to any other third parties without your permission unless there are exceptional circumstances, such as if the health and safety of others is at risk or if the law requires us to pass on such information. An example of the sensitive information that will be left out is fertility treatment records.
It is essential that your details are accurate and up to date. Always check that your personal details are correct and please inform us of any changes as soon as possible. If you think any information is inaccurate or incorrect then please contact your health or care provider to discuss this further. This could be your GP practice or the health or social care staff that provided or are currently providing your treatment and care.
What is the lawful basis for the sharing?
The processing (sharing) of personal data for these purposes is permitted under Articles 6(1) (d) and 6(1) (e) of the UK General Data Protection Regulation (UK GDPR) and UK Data Protection Act 2018 (DPA):
- Vital Interest: processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Public Task: the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The processing (sharing) of special categories of personal data via the KM Care Record system is permitted under Article 9 (2) (b) and (h) and Article 10 of the UK GDPR and the UK Data Protection Act 2018 (DPA):
- Direct Care and Administration: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards.
KM Care Record testing is required to validate accuracy and completeness of patient records within the system. This is a clinical safety issue and supported under UK GDPR Article 6(1)(e) official authority, and Article 9(2)(b) where information technology staff (who are not healthcare professionals) will be appraising the data. The data used for testing will be anonymised wherever possible, minimised where live patient data is necessary, and only used in a proportionate manner to meet the test criteria. All such data will be deleted from the test system immediately upon completion of the tests.
- Criminal Offence: Criminal offence data is limited to that which relates to your health or care; a comprehensive register of criminal convictions will not be kept and the condition of Article 10 of the UK GDPR as well as s10(5) of the DPA 2018 has been fulfilled.
The legal obligation relies on the Health and Social Care Act 2012 s251(b) (as amended by the Health and Social Care (Safety and Quality) Act 2015 which created a statutory ‘duty to share’).
We will also recognise your rights established under UK case law collectively known as the “Common Law Duty of Confidentiality” to keep information about you confidential.
Organisations we share your personal information with:
Personal Data (including special category data) will only be shared between the health and social care organisations which have signed the KM Care Record Joint Controller or Data Sharing Agreement, and authorised data processors for the purposes of providing health and social care. These currently include:
- Dartford and Gravesham NHS Trust (D&G)
- East Kent Hospitals University NHS Foundation Trust (EKHUFT)
- Medway Maritime Hospital - Medway NHS Foundation Trust (MFT)
- Maidstone and Tunbridge Wells NHS Trust (MTW)
- Kent and Medway Partnership NHS and Social Care Partnership Trust (KMPT)
- North East London Foundation Trust (NELFT)
- Kent Community Health NHS Foundation Trust (KCHFT)
- Medway Community Healthcare (MCH)
- South East Coast Ambulance Service (SECAmb)
- Integrated Care 24 (IC24)
- Out of Hours providers (currently IC24, SECAmb and MCH)
- Kent and Medway Clinical Commissioning Group (KM CCG)
- Kent County Council (children and adults services) (KCC)
- Medway Council (children and adults services) (MWC)
In the future it is likely that the KM Care Record will be extended to a wider range of health and care providers. This may include:
- Other Providers of community health services
- Community Pharmacies (Chemists)
How will the information be made available?
The information is accessed in real time and on-demand and presented as a read only view; meaning that the information from a provider’s local record is not changed. Access to your information depends on the user having access in their own clinical systems, so professionals can only see information regarding individuals that are being referred for care or treatment or are being treated by them.
E-Forms containing additional information about health and health assessments and planning of services may be created directly and stored within KM Care Record. Also, where relevant, KMCR e-Forms used for assessments of care service planning will be copied to the patient and this may contain historical background health information about the patient.
How long do we keep your record?
The KM Care Record is only primarily used to share, rather than store, data contained within a local record, although some data may be created and stored within KM Care Record forms regarding health assessments and planning of care services. Your records are kept for as long as necessary by local partners in accordance with your care. The retention schedules are aligned to the best practice outlined by NHS Digital. This information can be found in a document called “NHS Records Management Code of Practice for Health and Social Care 2020” and can be found on the following link - NHS Records Management Code of Practice for Health and Social Care 2020
How do we keep your personal information safe and secure?
To protect personal and special category information we ensure the information we hold is kept in secure locations and restrict access to information to authorised personnel only.
Our appropriate technical and security measures include:
- robust policies and procedures e.g. password protection
- technical security measures to prevent unauthorised access
- complying with Data Protection Legislation
- encrypting information transmitted between partners
- implementing and maintaining business continuity, disaster recovery and other relevant policies and procedures
- use of ‘user access authentication’ mechanisms to ensure that all instances of access to any Personal Data under the Kent Medway Care Record (KM Care Record) system are auditable against an individual; i.e. role-based access and smartcard use to ensure appropriate and authorised access
- ensuring that all employees and contractors who are involved in the processing of Personal Data are suitably trained, on an annual basis, in maintaining the privacy and security of the Personal Data and are under contractual or statutory obligations of confidentiality concerning the Personal Data.
- Regular audit of practices to ensure adherence against these criteria
The NHS Digital Code of Practice on Confidential Information applies to all staff who access the KM Care Record; they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.
All staff with access to Personal Data are trained to ensure information is kept confidential.
What are your rights?
Under the Data Protection Legislation, you have the right:
- To be informed of the uses of your data - this enables you to be informed how your data is processed (the purpose of this document).
- Of access - this enables you to receive a copy of the personal information held about you and to check the lawful processing of it.
- To rectification - this enables you to have any incomplete or inaccurate information held about you corrected
- To erasure - this enables you to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding lawful grounds to continue to process your data.
- To restrict processing - this enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- To data portability - this enables you to transfer your electronic personal information to another party.
- To object - You have the right to object to processing of personal data about you on grounds relating to your particular situation. The right is not absolute and we may continue to use the data if we can demonstrate compelling legitimate grounds.
- In relation to automated decision making & profiling - this enables you to be told if your data is being processed using automated software (note: there is no automated decision making or profiling in KMCR).
If you wish to exercise your rights in any of the ways described above you should contact the Data Protection Officer at the care giving organisation.
How can I access the information you keep about me?
To access your Personal Data you should contact your health or care provider in the first instance, to discuss this further. This could be your GP practice or the health or social care staff that provided or are currently providing your treatment and care.
You have a right to see or obtain a copy of personal information that we hold about you in accordance with UK General Data Protection Regulation (UK GDPR), and the UK Data Protection Act 2018 (DPA).
All requests for access to personal information must be submitted verbally or in writing. Please note proof of identity will be required for us to be able to assist you.
Correcting inaccurate information
If you believe that we hold inaccurate information in your health or care record you should contact your health or care provider in the first instance, to discuss this further. This could be your GP practice or the health or social care staff that provided or are currently providing your treatment and care.
How can I object to my data being shared via KM Care Record?
You have the right to object to your information being shared on the KM Care Record on grounds relating to your particular situation. The right is not absolute and we may continue to use the data if we can demonstrate compelling legitimate grounds. When considering your objection, we will consider whether you can still be provided with safe individual care.
We ask you to think carefully before making this decision. Sharing your health and social care information will make it easier for services to provide the best treatment and care for you when you most need it.
Health and social care staff use your confidential information to help with your treatment and care. For example, when you visit a hospital your consultant may need to know the medicines you take.
If you do wish to object, you should contact your health or social care provider involved in your care, and understand what it means for you.
If you choose to object:
- You may have to answer questions repeatedly because your full history may not be available to the care professional assessing you.
- Decisions about your care may take longer, even in emergency situations, as history needs to be confirmed.
- Some medical tests may get repeated unnecessarily e.g. if you had a blood test with your hospital consultant, your GP may not be able to see this.
Right to complain:
You can get further advice or report a concern directly to the KCHFT Data Protection Officer at firstname.lastname@example.org.
You also have the right to contact the UK’s data protection supervisory authority (Information Commissioner’s Office) by:
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Telephone: 0303 123 1113 (local rate) or 01625 545745 (national rate)
Further information about the way in which the NHS uses personal information and your rights is published by NHS Digital:
Your NHS Data Matters and the National Data Opt-Out
The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning. Visit the website below to find out more information or to opt-out of having your patient information being used for research and planning.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- Improving the quality and standards of care provided
- Research into the development of new treatments
- Preventing illness and diseases
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations.
Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit https://www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
- https://www.hra.nhs.uk/information-about-patients (which covers health and care research); and
- https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes, and data would only be used in this way with your specific agreement.
KM Care Record is compliant with the national data opt-out policy.
The NHS Constitution
The NHS Constitution establishes the principles and values of the NHS in England. It sets out the rights patients, the public and staff are entitled to. These rights cover how patients access health services, the quality of care you will receive, the treatments and programmes available to you, confidentiality, information and your right to complain if things go wrong.
NHS Digital collects health information from the records health and social care providers keep about the care and treatment they give, to promote health or support improvements in the delivery of care services in England.
Reviews of and Changes to this Privacy Notice
We will review the information contained within this notice regularly and update it as required. We therefore recommend that you check this webpage regularly to remain informed about the way in which we use your information.
This version was last updated by the KM Care Record on 04/08/2021.